-----------------------------------------------------------------------
OTRS Security Advisory 2007-01 <security@otrs.org>
-----------------------------------------------------------------------
ID: OSA-2007-01
Date: 2007-05-24
Title: Vulnerability in OTRS agent mailbox view allows
Cross-Site Scripting
Severity: Less critical
Product: OTRS 2.0.x
Fixed in: OTRS 2.0.5
Not affected: OTRS 2.1.x, OTRS 2.2.x
URL: http://otrs.org/advisory/OSA-2007-01-en/
-----------------------------------------------------------------------
This advisory covers one vulnerability in the OTRS agent mailbox
view.
Input fields allow injection of script code
Missing HTML quoting allows an agent in the mailbox view (only within
a valid session) to inject HTML tags.
This vulnerability allows an attacker to inject script code
into the OTRS web interface, where it will be loaded and executed
in users' browsers.
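As an added illustration (not code from OTRS or from this advisory), the defect class in a generic Perl form: a request value interpolated into the page first without and then with HTML quoting; the html_quote helper and the render_* subs are hypothetical and not OTRS API, and the sample subject is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML quoting of the kind such a fix applies: every character
# that can open a tag or close an attribute is replaced by an entity.
sub html_quote {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Vulnerable pattern (hypothetical): a request parameter is interpolated
# into the generated page unchanged, so markup in it reaches the browser
# as live tags.
sub render_unquoted {
    my ($subject) = @_;
    return "<td>$subject</td>";
}

# Hardened pattern: quote before interpolating, so the same input is
# displayed as literal text.
sub render_quoted {
    my ($subject) = @_;
    return '<td>' . html_quote($subject) . '</td>';
}

# Constructed sample: a ticket subject that carries markup.
my $sample = '<b>hello</b> <script>alert("x")</script>';
print "unquoted: ", render_unquoted($sample), "\n";
print "quoted:   ", render_quoted($sample), "\n";
```

In a template-driven application the same rule applies at every output point: the quoting must happen where the value is written into HTML, not where it is read from the request.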
Affected by this vulnerability are all releases of OTRS 2.0.0 up
to and including 2.0.4.
This vulnerability is fixed in OTRS 2.0.5.
Fixed OTRS releases can be found at:
o ftp://ftp.otrs.org/
As a workaround you can update the file
Kernel/Modules/AgentTicketMailbox.pm from CVS to version 1.4.2.3
(http://cvs.otrs.org/).
Please send information regarding vulnerabilities in OTRS to
<security@otrs.org>.
Copyright (c) OTRS GmbH, <http://otrs.org/>